CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 3CVE-2021-36224
https://notcve.org/view.php?id=CVE-2021-36224
06 Feb 2023 — Western Digital My Cloud devices before OS5 have a nobody account with a blank password. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 3CVE-2021-36225
https://notcve.org/view.php?id=CVE-2021-36225
06 Feb 2023 — Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 3CVE-2021-36226
https://notcve.org/view.php?id=CVE-2021-36226
06 Feb 2023 — Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 4.9EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29838 – Authentication issue with the encrypted volumes and auto mount feature in My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29838
09 Dec 2022 — Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. La vulnerabilidad de autenticación inadecuada en los volúmenes cifrados y las funciones de montaje automático de los dispositivos Western Digital My Cloud permite un acceso directo inseguro a la información de la... • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-29839 – Remote Backups Application Discloses Stored Credentials
https://notcve.org/view.php?id=CVE-2022-29839
09 Dec 2022 — Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. Vulnerabilidad de credenciales insuficientemente protegidas en la aplicación de copias de seguridad remotas en dispositivos Western Digital My Cloud que podría permitir que un ... • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22994 – Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22994
28 Jan 2022 — A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. Se ha detectado una vulnerabilidad de ejecución de código remota en los dispositivos My Cloud de Western Digital donde un atacante podía engañar a un dispositivo NAS para cargar... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22993 – Limited Server-Side Request Forgery vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22993
28 Jan 2022 — A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters. Se ha detectado una vulnerabilidad de tipo SSRF limitada en los dispositivos My Cloud de Western Digital que podía permitir a un atacante hacerse pasar por un servidor y llegar a cualquier página del mismo omitiendo los controles de acces... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22992 – Command Injection Remote Code Execution vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22992
17 Jan 2022 — A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input. Se ha detectado una vulnerabilidad de ejecución de código remota por inyección de comandos en los dispositivos My Cloud de Western Digital que podría permitir a un atacante ejecutar comandos arbitrarios del sistema e... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.8EPSS: 2%CPEs: 11EXPL: 0CVE-2022-22990 – Limited authentication bypass vulnerability on Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-22990
13 Jan 2022 — A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts. Se ha detectado una vulnerabilidad de omisión de autenticación limitada que podría permitir a un atacante lograr una ejecución de código remota y escalar privilegios en los dispositivos My Cloud. Se ha abordado esta vulnerabilid... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-287: Improper Authentication CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22991 – Command injection through unsecured HTTP calls on Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-22991
13 Jan 2022 — A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP. Un usuario malicioso en la misma LAN podría usar una suplantación de DNS seguida de un ataque de inyección de comandos para engañar a un dispositivo NAS para que sea cargado mediante una llamada HTTP no segura. Se ha abordado esta vulnerabilidad al deshabilitar l... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •